EMAIL HEADER ANALYSIS
NETWORK SECURITY — PHISHING INVESTIGATION LAB
HEADERS · SPF · DKIM · DMARC · HOP ANALYSIS · URL INSPECTION

OBJECTIVES

Identify the spoofed From address
Find the true sending IP
Analyse the delivery hop chain
Check SPF / DKIM / DMARC results
Identify the timestamp anomaly
Find the malicious URL / lookalike domain
Analyse the URL with the URL inspector
Submit the phishing report
PHASE 1 — HEADER ANALYSIS
MISSION BRIEF
NETWORK SECURITY — PHISHING TRIAGE

EMAIL HEADER ANALYSIS

FILE: ticket-48821.eml — Reported by: j.porter@apexcorp.local

SCENARIO

User j.porter received a suspicious email claiming to be from Microsoft Security and reported it to the SOC. Analyse the email headers and body to determine whether this is a phishing attempt, identify all indicators of compromise, and document your findings.

WHAT TO ANALYSE

  • Check From vs Return-Path — are they the same domain?
  • Find the originating IP in the Received headers
  • Review the delivery hop chain for anomalies
  • Check SPF, DKIM, DMARC authentication results
  • Look at the send timestamp and timezone
  • Inspect any URLs in the body carefully

TOOLS

Tool            Purpose
Email Viewer    Header list, raw view, body
Hop Analyser    Visualise mail relay chain
Auth Results    SPF/DKIM/DMARC summary
URL Inspector   Analyse links safely
EMAIL VIEWER — ticket-48821.eml
MAIL HOP CHAIN — DELIVERY PATH
Received headers parsed bottom-up — earliest hop first. Each hop shows the handoff between mail servers.
EMAIL AUTHENTICATION RESULTS
URL INSPECTOR — SAFE ANALYSIS
Paste a URL from the email body to inspect it safely without visiting the site...
REFERENCE — EMAIL SECURITY
EMAIL AUTHENTICATION
SPF (Sender Policy Framework) — DNS TXT record listing the hosts authorised to send mail for a domain. Receivers evaluate it against the envelope sender (Return-Path / MAIL FROM) domain, not the visible From: address. FAIL means the connecting IP is not listed for that domain.

DKIM (DomainKeys Identified Mail) — cryptographic signature over selected headers and the body, verified with a public key published in DNS under the signing domain (the d= tag). FAIL means the signature does not verify: the signed content was altered in transit or the key does not match. A passing signature only proves that the d= domain signed the message, so d= must also be checked against From:.

DMARC (Domain-based Message Authentication, Reporting and Conformance) — policy published by the From: domain requiring that SPF or DKIM pass and align with the From: domain, and telling receivers what to do on failure. Fail with p=reject means the receiving server should have rejected the message rather than delivered it.
RECEIVED HEADER CHAIN
Received headers are added by each mail server that handles the message, each new one on top of the last. Read them bottom-up: the bottom header is the origin, the top is the last server before delivery. The bottom Received header names the IP that first handed the message in. Caveat: a sender controls everything below the first hop stamped by a server you trust, and can prepend fabricated Received headers before sending. The IP you can actually rely on is the one your own edge server recorded as the "from" host of its hop; anything below that is a claim, not evidence.
SPOOFING INDICATORS
From: domain differs from Return-Path: domain
Reply-To: goes to a different domain than From:
Originating IP (X-Originating-IP or the bottom Received header) is not a host that the From: domain's SPF record authorises
SPF FAIL, or SPF PASS for a Return-Path domain that does not align with From:
DKIM signature domain (d=) differs from From: domain
Message-ID domain differs from From: domain
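The checklist above and the reference notes on authentication and the Received chain can be turned into a small triage script. The following is an added example, not code from the lab or its tooling: it parses a constructed .eml (not ticket-48821.eml; the hostnames and the 192.0.2.0/24 and 203.0.113.0/24 addresses are documentation values), walks the Received headers bottom-up, separates the IP the chain claims from the IP the SOC's own edge server actually recorded, reads the Authentication-Results header, and applies the spoofing-indicator list. The trusted-server suffix `.apexcorp.local` is an assumption about the SOC's estate.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample, not the lab's ticket-48821.eml. The 192.0.2.0/24 and
# 203.0.113.0/24 addresses and the hostnames are documentation values.
RAW_EML = """\
Return-Path: <bounce@mail-secure-alerts.net>
Received: from mx1.apexcorp.local (mx1.apexcorp.local [10.0.0.25])
    by mail.apexcorp.local with ESMTP id abc123
    for <j.porter@apexcorp.local>; Tue, 12 Mar 2024 03:14:52 -0500
Received: from relay.mail-secure-alerts.net (relay.mail-secure-alerts.net [203.0.113.77])
    by mx1.apexcorp.local with ESMTP id def456;
    Tue, 12 Mar 2024 03:14:50 -0500
Received: from [192.0.2.10] (unknown [192.0.2.10])
    by relay.mail-secure-alerts.net with ESMTPA id ghi789;
    Tue, 12 Mar 2024 03:14:48 -0500
Authentication-Results: mx1.apexcorp.local;
    spf=fail (203.0.113.77 not authorised) smtp.mailfrom=mail-secure-alerts.net;
    dkim=fail header.d=mail-secure-alerts.net;
    dmarc=fail (p=reject) header.from=microsoft.com
From: Microsoft Security <security@microsoft.com>
Reply-To: support@mail-secure-alerts.net
Message-ID: <20240312081448.1234@relay.mail-secure-alerts.net>
Date: Tue, 12 Mar 2024 03:14:48 -0500

Please verify your account.
"""
MSG = email.message_from_string(RAW_EML)
TRUSTED_SUFFIX = ".apexcorp.local"   # assumption: the SOC's own mail servers


def _flat(value):
    """Unfold a header value: collapse folding whitespace into single spaces."""
    return " ".join((value or "").split())


def domain_of(header_value):
    """Domain of the first address in a From/Return-Path/Reply-To/Message-ID header."""
    return parseaddr(_flat(header_value))[1].rpartition("@")[2].lower()


def hop_chain(msg):
    """Received headers as hops, earliest first (the bottom header is the first hop)."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        value = _flat(raw)
        m = re.match(r"from (\S+).*? by (\S+)", value)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value.split(" by ", 1)[0])
        hops.append({"from_host": m.group(1) if m else None, "by_host": m.group(2) if m else None,
                     "ip": ip.group(1) if ip else None,
                     "date": value.rsplit(";", 1)[1].strip() if ";" in value else None})
    return hops


def origin_ips(hops, trusted_suffix=TRUSTED_SUFFIX):
    """(claimed, verified): the IP the bottom hop names, and the external IP our own MX recorded.
    Hops stamped by servers we do not control can be fabricated by the sender."""
    claimed = next((h["ip"] for h in hops if h["ip"]), None)
    verified = None
    for h in reversed(hops):                              # walk down from the final server
        if not (h["by_host"] or "").endswith(trusted_suffix):
            break                                         # below this point: untrusted stamps
        verified = h["ip"]
        if not (h["from_host"] or "").endswith(trusted_suffix):
            break                                         # first handoff from outside our estate
    return claimed, verified


def auth_results(msg):
    """SPF/DKIM/DMARC verdicts, DMARC policy and DKIM d= domain from Authentication-Results."""
    value = _flat(msg.get("Authentication-Results"))
    out = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))
    pol = re.search(r"\bp=(\w+)", value)
    d = re.search(r"header\.d=([\w.-]+)", value)
    out["dmarc_policy"] = pol.group(1) if pol else None
    out["dkim_d"] = d.group(1) if d else None
    return out


def spoofing_indicators(msg):
    """The reference list's spoofing checks applied to one message; returns readable findings."""
    from_dom = domain_of(msg.get("From"))
    auth = auth_results(msg)
    findings = []
    for name, dom in [("Return-Path", domain_of(msg.get("Return-Path"))),
                      ("Reply-To", domain_of(msg.get("Reply-To"))),
                      ("Message-ID", domain_of(msg.get("Message-ID"))),
                      ("DKIM d=", auth.get("dkim_d") or "")]:
        if dom and dom != from_dom and not dom.endswith("." + from_dom):
            findings.append(f"{name} domain {dom} differs from From: domain {from_dom}")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) and auth[mech] != "pass":
            findings.append(f"{mech.upper()}={auth[mech]}")
    if auth.get("dmarc") == "fail" and auth.get("dmarc_policy") == "reject":
        findings.append("DMARC fail with p=reject: the receiver should have rejected this message")
    return findings


if __name__ == "__main__":
    print("claimed / verified origin:", origin_ips(hop_chain(MSG)))
    print(*spoofing_indicators(MSG), sep="\n")
```

On the constructed sample the claimed origin is 192.0.2.10 (named only by a hop the attacker's relay wrote), while the verified external IP is 203.0.113.77, the address mx1.apexcorp.local saw connect; that is the IP to block or pivot on. Run it against a real .eml with `email.message_from_file`, and change `TRUSTED_SUFFIX` to your own mail domain.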
LOOKALIKE DOMAINS
Character substitution or insertion: microsofft.com (extra f), paypa1.com (digit one instead of lowercase L)
Homoglyphs: micrоsoft.com (Cyrillic о)
Subdomains: microsoft.com.attacker.net
Typosquatting: microsodt.com
Hyphenation: micro-soft.com
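The five lookalike techniques listed above can each be detected mechanically. The following is an added example, not part of the lab: it classifies a domain against a list of protected brand domains, flagging mixed Unicode scripts (and showing the punycode form a resolver would actually use), a brand name buried as a subdomain, hyphen insertion, and small edit distances that cover substitution, insertion and typos. The brand list is an assumption, the candidates are the page's own examples plus one legitimate control, and the two-label "registrable domain" rule is a simplification that ignores public suffixes such as co.uk.

```python
import unicodedata

# Assumption: brand domains the SOC wants to protect (not from the lab).
BRANDS = ["microsoft.com", "paypal.com"]
# Constructed candidates: the reference list above plus one legitimate control.
# "\u043e" is Cyrillic small letter o, the homoglyph from the reference.
CANDIDATES = ["microsofft.com", "paypa1.com", "micr\u043esoft.com", "microsoft.com.attacker.net",
              "microsodt.com", "micro-soft.com", "login.microsoft.com"]


def registrable(domain):
    """Last two labels. Assumption: no public-suffix list, so co.uk-style suffixes are not handled."""
    return ".".join(domain.split(".")[-2:])


def to_ascii(domain):
    """Punycode form of each non-ASCII label, as a resolver sees it (xn--...)."""
    labels = []
    for label in domain.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def scripts(domain):
    """Unicode scripts used by the letters of a domain, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in domain if ch.isalpha()}


def levenshtein(a, b):
    """Edit distance, keeping one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, brands=BRANDS, max_distance=2):
    """Return (verdict, detail) for a domain seen in a link or sender address."""
    cand = unicodedata.normalize("NFKC", candidate.strip().lower().rstrip("."))
    reg = registrable(cand)
    for brand in brands:
        if reg == brand:
            return "brand-domain", brand                  # the brand itself or a real subdomain
    if len(scripts(cand)) > 1:
        return "homoglyph", to_ascii(cand)                # mixed scripts: report the punycode form
    for brand in brands:
        if ("." + cand).find("." + brand + ".") >= 0:
            return "brand-as-subdomain", brand            # microsoft.com.attacker.net
        if "-" in reg and reg.replace("-", "") == brand:
            return "hyphenation", brand                   # micro-soft.com
        if levenshtein(reg, brand) <= max_distance:
            return "typosquat", brand                     # substitution, insertion, 1-for-l, typo
    return "no-match", None


def scan(candidates=CANDIDATES):
    """Classify every candidate; the result is keyed by the domain as given."""
    return {c: classify(c) for c in candidates}


if __name__ == "__main__":
    for dom, (verdict, detail) in scan().items():
        print(f"{dom:32} {verdict:20} {detail}")
```

The ordering matters: the exact-brand check runs first so `login.microsoft.com` is never reported as a typosquat of itself, and the mixed-script check runs before edit distance because a Cyrillic о looks like distance 1 from the Latin string but is a different attack. With `max_distance=2` you will get false positives on short brand names, so tune it per brand or require that the candidate is not on an allowlist.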
TIMESTAMP ANALYSIS
Check the Date: header against the claimed sender. Its timezone offset is written by the composing mail client, so it reflects the configured timezone of the machine that wrote the message (which can be misconfigured or forged), not a proven location. A message from a US company carrying a +0800 offset, or sent at 3:14am EST on a Tuesday, is unusual and worth noting. Also compare Date: with the timestamps on the Received headers, which are stamped by the relays rather than the sender: a Date: later than the first Received stamp, or hours earlier than it, points to a forged Date or a message that was queued before delivery.
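The timestamp checks just described, as an added example rather than lab code. It parses a constructed header block (not ticket-48821.eml) in which the Date: claims +0800 while the sender poses as a US company, converts the send time into the claimed sender's timezone to see whether it falls in business hours, and measures the lag between Date: and the earliest relay-stamped Received time. The claimed offset (-5, US Eastern standard time) and the 07:00 to 19:00 business-hours window are assumptions.

```python
import email
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed headers (not the lab file). The Received stamps are in UTC; the
# Date: header claims a +0800 offset although the sender poses as a US company.
RAW_HEADERS = """\
Received: from relay.example.net (relay.example.net [203.0.113.77])
    by mx1.apexcorp.local with ESMTP id def456;
    Tue, 16 Jan 2024 08:14:50 +0000
Received: from [192.0.2.10] (unknown [192.0.2.10])
    by relay.example.net with ESMTPA id ghi789;
    Tue, 16 Jan 2024 08:14:48 +0000
Date: Tue, 16 Jan 2024 16:14:48 +0800
From: Microsoft Security <security@microsoft.com>

"""
MSG = email.message_from_string(RAW_HEADERS)
EST = -5.0   # assumption: the claimed sender's timezone (US Eastern, standard time)


def _flat(value):
    """Unfold a header value: collapse folding whitespace into single spaces."""
    return " ".join((value or "").split())


def received_times(msg):
    """UTC timestamps stamped by each relay, earliest hop first."""
    stamps = [_flat(r).rsplit(";", 1)[-1].strip() for r in reversed(msg.get_all("Received", []))]
    return [parsedate_to_datetime(s).astimezone(timezone.utc) for s in stamps]


def timestamp_findings(msg, claimed_offset_hours=EST, business_hours=(7, 19),
                       max_lag=timedelta(minutes=30)):
    """Compare Date: (written by the sender's client, so forgeable) with relay-stamped Received times."""
    sent = parsedate_to_datetime(_flat(msg.get("Date")))
    date_offset = sent.utcoffset().total_seconds() / 3600
    local = sent.astimezone(timezone(timedelta(hours=claimed_offset_hours)))
    rx = received_times(msg)
    findings = []
    if date_offset != claimed_offset_hours:
        findings.append(f"Date: offset {date_offset:+.0f}h, but the claimed sender is at "
                        f"{claimed_offset_hours:+.0f}h")
    if not business_hours[0] <= local.hour < business_hours[1]:
        findings.append(f"composed {local.strftime('%A %H:%M')} in the claimed sender's timezone")
    lag = rx[0] - sent if rx else None           # first relay stamp minus claimed send time
    if lag is not None and lag < timedelta(0):
        findings.append("Date: is later than the first Received: stamp (forged Date or bad clock)")
    elif lag is not None and lag > max_lag:
        findings.append(f"{lag} between Date: and first Received: (queued, or Date: forged)")
    return {"date_offset_hours": date_offset, "local_hour": local.hour, "lag": lag,
            "findings": findings}


if __name__ == "__main__":
    print(*timestamp_findings(MSG)["findings"], sep="\n")
```

For the constructed message this reports the +0800 offset and a Tuesday 03:14 send time in the sender's claimed zone, and no lag, because the Date: and the first relay stamp agree to the second; on a real phish the lag check is the one that catches a Date: copied from an old template.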